
Introduction

Sûnnet Beskerming Pty. Ltd. occasionally produces small reports that are for free (gratis)
distribution. The free content may cover any area that Sûnnet Beskerming operates in. Examples
may include generic security advice, specific security warnings, development practices, and application
tuning. The only caveat on reuse of information from this site is in accordance with the
following paragraph.

Use and reuse of information from this site requires written acknowledgement of the source for
printed materials, and a hyperlink to the parent
Sûnnet Beskerming page for online reproduction.
Content from this page cannot be reused in a commercial context without negotiating an appropriate licence with the
site owner. Personal and educational use is granted without additional restriction beyond an amount in accordance
with the principle of "fair use". Fair judgement is encouraged from site users as to what amounts to "fair use".
Please contact us if you reuse our content, so that we can provide more specific advice where necessary to improve
your reproduction.

Sûnnet Beskerming do not normally offer services and products direct to the consumer, with this weekly column as the
primary exception. One of the primary difficulties with a weekly column is ensuring that the content being reported
remains fresh and relevant, even when it may be more than a week out of date at time of publishing. To remedy this
situation, and to provide more timely information for people who desire up to the minute news, Sûnnet Beskerming is
announcing the establishment of a mailing list which will provide up to the minute news on emerging threats, advice on
good security practices, analysis and explanation of technical news items which may have an impact on your future IT
purchases, and collation and distillation of multiple news sources to provide you with a brief, accurate, non-biased
synopsis of technology trends, with a focus on security. Sûnnet Beskerming do not restrict the focus of their
services to only one operating system or hardware platform, which allows you an equal level of service even if you do
not run the leading Operating Systems.

Having as little as a few hours warning is enough to protect your systems against rapidly emerging threats. Some of the
most prolific worms and viruses in existence can infect all vulnerable systems within a matter of hours, so every second
counts. This is where having Sûnnet Beskerming services helps.

As a recent example, you would have been informed of the recent network breach in which up to 40 million credit
card details were compromised a full 12 hours before it was reported on the major Information Technology news
sites, and more than four days before it was reported in the mainstream media.

Sometimes we are even faster than Google, being able to deliver timely, accurate information before any related content
appears in the Google search results.

Not many people can afford to be dedicated full time to searching and identifying this information, and so tend to find
out once something bad has already happened to their systems. Let Sûnnet Beskerming use their resources to bring you
this information before you find it out the hard way.

Sûnnet Beskerming are offering a free trial membership period for consumer subscribers to the mailing list (Businesses
have their own, similar list, with added services). For subscription information, or more information, please send an
email to info@skiifwrald.com.

Windows 95 Turns 10 - 29 August 2005

Ten years ago last week (August 24, 1995) saw the introduction of one of the most influential software applications
of the modern computing era. Microsoft released their Windows 95 Operating System to eager PC users, the first
32-bit Operating System for personal computer users running IBM-PC compatible systems. IBM and Apple looked on in
interest, as Microsoft was finally releasing their much-hyped next generation Operating System, which would bring
to the mass market many features which OS/2 (IBM) and System 7.5 (Apple) had provided to their respective users.
Although not a true Operating System at that stage (it was a graphical application which rested on top of a
modified MS-DOS), it was a resounding initial success.

For many years, IBM-PC compatible users had dismissed the mouse and the graphical user interface (the GUI), as
merely toys, something that 'real' computer users could do without. The release of Windows 95 changed that approach,
and allowed Microsoft to aggressively pursue their goals of increasing the size of the Personal Computer industry.
This was spectacularly achieved with Windows 95, and the following consumer version of Windows 98. Unfortunately,
a large number of the new computer owners (and users) had no in-depth knowledge of how their systems worked,
preferring to remain in the position of knowing how to achieve the tasks that they needed to, and not much more.

Even with this success, it may have laid the seeds
for the persistent security problems facing Microsoft Windows users, even now. While the security of the competing
consumer, and business, Operating Systems was not all that advanced, Microsoft's mass market appeal made it more
susceptible to future abuses, as it fostered the introduction of a large, semi computer-literate userbase. The
slow recognition of the emerging importance of the Internet was an extremely costly mistake for Microsoft. The
addition of an Internet browser (Internet Explorer) was such a late inclusion that it was not present on retail
copies of Microsoft Windows 95, but was on the OEM versions.

The power of the new Operating Systems gave software developers a very useful development environment, and the low
level of security knowledge at the time meant that developers were not too concerned with possible abuses of their
applications such as buffer overflows. In the gold rush to release software, security took a back seat, along with
multi-user management (especially difficult in a single user Operating System), and the after-effects are still
being felt now, as the descendants of this coding approach are being exploited in the modern networked computing
environment.

Some of the sharper historical wits have highlighted a unique coincidence with the release date of Windows 95. August
24, AD 79, was the date that Mt. Vesuvius erupted, burying the cities of Pompeii and Herculaneum. Perhaps a parallel
can be drawn with the effects of Windows 95 on modern computing.

In some more positive news for users of Microsoft's Internet Explorer, it has been
suggested that the anti-phishing
component of Internet Explorer 7 will be provided to users of Internet Explorer 6, via a plugin to the MSN Toolbar.
In addition to needing Internet Explorer 6, Windows XP with Service Pack 2 installed will be needed as the underlying
system. There is no news as to whether other versions of Internet Explorer, or Microsoft Windows, will have the
protection made available.

The recent Zotob worm release, covered in last week's column, has already seen a number of arrests over its
creation and release. Because of the relation to the earlier Mytob worm, authorities are confident that they have
arrested the originators of that worm as well. Given the willingness of companies that have been hit with damaging
worms to call for severe punishment (to hide their inability to protect their systems), and the history of the
German teenager (Sven Jaschan) who released a Sasser variant, it is likely that the people currently in custody
will face some significant jail time. The arrests were carried out in Morocco and Turkey, and it is not known
whether there will be any attempts to extradite the suspects to other countries to face different legal systems,
although the FBI are currently indicating that they will not be seeking extradition. From the reporting surrounding
the case, it appears that the teenage Moroccan was the author of the Zotob and Mytob worms, writing them for the
Turk, who paid for their creation.

The FBI was involved with tracking down the suspects, and utilised technical assistance from Microsoft in finding
the source of the worms. The Moroccan teenager was known online as Diabl0, an identity which was already known as
the originator of the worm. Various security mailing lists were fully aware of the identity Diabl0, but not the
real person behind it. It was suggested that the slip-up was the result of the Turkish hacker attempting to move
funds from users whose systems had been compromised, but the case is still under investigation. The tracking and
identification of the suspects was achieved through electronic means only, separating it from Sven Jaschan's case,
where he was identified by associates.

The popular open-source media player, mplayer, has recently been found to be vulnerable to a buffer overflow
which can let a remote attacker execute code of their choosing any time that a specially crafted audio or
video file is opened. The existence of mplayer has been a boon for a lot of Linux users, who have otherwise been at
a loss for being able to replay audio and video without booting into another OS. All versions prior to 1.0pre7try2
are vulnerable, and the recommendation is to upgrade to this version. While it is not known whether it is being
actively exploited, it could become the basis for a worm that would spread through Linux based systems (one of few
possible chances).

With similar news circulating for a while now, another set of weaknesses has been found in the various in-room
electronic services provided in many hotels around the world. While most of the vulnerabilities that have been
disclosed to date are the result of an incorrect installation and setup, the most concerning reports suggest that
the core services are vulnerable to various active and passive attacks, including capture of all traffic crossing
the network (e.g. viewing other hotel clients' mail and websurfing), and insertion of content of choice (e.g.
reprogramming all television channels to show the adult PPV movie, which has also had payment restrictions bypassed).
When travelling and staying in a hotel which offers this sort of facility, it is important to apply the same sort
of caution to your online activities as you would in an Internet cafe. Essentially, any network connection made
from such an environment should not be considered a trusted connection, and you should apply your own internal
checks and balances to ensure against compromise.

Were You Caught Out? - 22 August 2005

It didn't take long for the worms and exploits to begin circulating following Microsoft's monthly security
patch release. One of the earliest vulnerabilities to be exploited was the Plug and Play vulnerability in
Windows 2000, which was patched with MS05-039. By the weekend following the patch release (i.e. last weekend),
early versions of a worm called Zotob were circulating. Bearing a strong naming similarity with the Mytob
family of worms, analysis suggests that Zotob is a Mytob derivative, replacing the Mydoom code with code
specific to the Plug and Play vulnerability. Rapid evolution has already seen the original Zotob worm pick
up a mass emailing component, which provided it with two infection vectors, through email and through the
Windows 2000 Plug and Play vulnerability. The email infection vector allows it to target all versions of
Windows from Windows 98, onwards, which were otherwise invulnerable to the Plug and Play issue.

Zotob creates an IRC connection on the compromised system, effectively turning the computer into a remote-controlled
'bot', part of a hacker's network. Users might find that they are unable to view webpages, as they are being
redirected to the local loopback address (127.0.0.1), and access to sites such as eBay, PayPal, Amazon, Anti-Virus
vendors, and Microsoft Update might be blocked.
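One practical check for the symptom described above is to look for local sinkholing of vendor and update domains. The following is an added example, not code from the column: it assumes the loopback redirection is done through the HOSTS file (common for this kind of blocking, but not stated on the page), parses a constructed sample of that file, and flags protected domains mapped to 127.0.0.1 or 0.0.0.0.

```python
import ipaddress
import sys

# Constructed sample HOSTS file for demonstration; the tampered entries are
# invented and do not come from any real Zotob sample.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.ebay.com
127.0.0.1       www.paypal.com        # attacker-added
0.0.0.0         windowsupdate.microsoft.com
127.0.0.1       liveupdate.symantecliveupdate.com
192.168.1.10    fileserver.corp.local
"""

# Domains that a workstation should never resolve to itself. A loopback or
# null mapping for any of these is a strong indicator of tampering.
# (Illustrative list; extend with the vendors your environment relies on.)
PROTECTED_SUFFIXES = (
    "ebay.com", "paypal.com", "amazon.com",
    "microsoft.com", "windowsupdate.com",
    "symantec.com", "symantecliveupdate.com", "mcafee.com", "sophos.com",
)


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in HOSTS-file text.

    Comments (anything after '#') and blank or malformed lines are skipped;
    one line may map several hostnames to the same address.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid address; ignore rather than crash
        for host in fields[1:]:
            yield ip, host.lower(), line_no


def is_protected(hostname):
    """True if hostname equals, or is a subdomain of, a protected suffix."""
    return any(hostname == s or hostname.endswith("." + s) for s in PROTECTED_SUFFIXES)


def find_sinkholed_entries(text):
    """Return [(line_no, hostname, ip_str)] for protected hosts pointed at
    loopback (127.x) or the unspecified address (0.0.0.0)."""
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if host == "localhost":
            continue  # the one loopback mapping that is always legitimate
        if (ip.is_loopback or ip.is_unspecified) and is_protected(host):
            findings.append((line_no, host, str(ip)))
    return findings


if __name__ == "__main__":
    # Pass a real HOSTS path as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for line_no, host, ip in find_sinkholed_entries(text):
        print(f"line {line_no}: {host} -> {ip} (blocked locally)")
```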

By the middle of last week, Zotob had been joined by a number of competing worms, including IRC bots (IRCBot-ES),
which have a much easier infection mechanism once a network has been compromised.

Microsoft's patch for the Print Spooler vulnerability, a part of the recent security patch release, appears to have
re-activated the service on machines where it had previously been disabled. A number of reports from end users
indicate that the spoolsv.exe process is trying to contact systems other than the one it is hosted on, and that this
behaviour occurs following the application of the Microsoft patch.

Following the initial rush of blood, and claims that the sky was falling, which accompanied the release of Microsoft's
security patches, it appears that the panic level has returned to normal, with the Zotob worm appearing to have
infected the majority of naturally vulnerable Windows 2000 hosts, and no apparent forthcoming worms for the remaining
vulnerabilities. Detailed exploit code has been distributed for a number of the other vulnerabilities, with
Internet Explorer's vulnerabilities drawing special attention. In addition, other product suppliers are beginning
to find that they are also vulnerable. A range of Cisco products which are based on the Windows Operating System
have been announced to be vulnerable to at least a Denial of Service as a result of the current crop of worms.
Operators of Cisco equipment should contact Cisco to ensure that the products being used are suitably protected.

Even though the infection rate appears to be stabilising, a number of companies have disclosed that they were
compromised by the worms. This list includes Daimler-Chrysler and General Motors (Holden), where
multiple plant infections cost tens of millions of dollars worth of lost productivity just within the vehicle
manufacturers. At least a hundred million dollars worth of lost productivity would have resulted as these major
manufacturers would have been unable to properly handle deliveries and incoming products from external suppliers.
Media agencies such as the American networks ABC and CNN were also affected, with newspapers
The New York Times, and The Financial Times also falling victim to infections. Other reports
suggest that Disney, AMEX, Cingular, AOL, GE, Caterpillar, and
UPS were also affected. Numerous other companies will have also been affected and would have lost significant
productivity due to their internal Information Technology system downtime. Even more worrying is the inappropriate
action being taken by system administrators in their efforts to either mitigate or clean up the effects of the
worms. Some organisations withheld the clean up process for 24 hours after the infections took hold, while others
ignored the significant public reporting before recommending inappropriate actions (such as no Internet usage, when
the primary worms spread independently of the websites visited) prior to attempting mitigation procedures, three
days after the initial mass infections.

Although IT is generally regarded as a cost centre for businesses, it is worms like this which can drive home the
point that IT has become an essential part of most modern businesses. Again, Windows users are extremely lucky that
the worm developers were generally incompetent in their development of this worm. In their rush to release first, the
Turkish hackers who created Zotob took a number of shortcuts. If Zotob, and the related worms, had a more robust
means of determining the next set of targets (it only infects the local subnet), then it could have spread much
faster. If it had a properly developed payload, it would not have forced Windows 2000 machines to continually reboot,
instead it would have destroyed data, or sent it out to the remote hackers. There was some evidence that they were
monitoring the end infections, but they did not really capitalise on this information. If a worm could only send
out 100 copies a second, but could potentially infect 1% of the total Internet address space, it would saturate
the Internet in a matter of minutes, rather than the ongoing efforts that the current worms are engaged in, when
the vulnerable targets are probably much more than 1% of the total Internet address space.

Some observers are likening this latest mass worm threat to Windows, and the continued usage of that platform by most
users, to the unfortunately named 'Battered Wife Syndrome'. The syndrome is characterised by a person who,
subject to ongoing physical and mental abuse from a partner, becomes unable to take independent action to remove
themselves from the situation. The victim tends not to seek advice or assistance from others, or even fight back
against the abuser, and can even convince themselves that they are the problem. They also believe the statements
from their abuser that they (the abuser) have changed, and will not do it again.

The observers that have drawn the parallel with this syndrome point out that Microsoft has abused its monopoly position,
generally lied to users about security, and have a long record of security problems which have caused significant
losses for end users. They point to the unethical business practices, responsibility-avoiding EULAs, accusations
of piracy (and associated audits), and continued promises that 'things will be better, next time' as being ongoing
examples of Microsoft's abuse of their situation, while still keeping most of their end users on the Windows
Operating System.

Defenders of Microsoft have countered with pointing out the increased efforts being taken by Microsoft with respect to
the security of their products.

The online crime of the moment, identity theft and Internet fraud, has attracted some more attention from the mainstream
media. The ABC Four Corners program, broadcast Monday 15 August 2005, briefly investigated the CardSystems 40 million
credit card breach, and the disclosure of identity information by sub-contracted IT support staff in India. Regular
readers of our online column would have already been aware of these breaches, a number of weeks (and months) ago,
when they originally happened. The broadcast of the program has had some wide reaching effects. One of the firms
which was identified for selling this information, Nasscom, has claimed that it was set up, and is stating that it
will work with Australian law enforcement agencies. The damage control spin being applied by the company includes
pointing to the fact that no formal complaints have been filed, and that India is not the only country which is
responsible for identity theft breaches. Also following up on an identity theft issue, an AOL employee who took
90 million AOL screen names and email addresses and then sold them to spammers has been jailed for 15 months, and
fined $83,000 USD, which is three times what he earned from the sale of the information.

Identity thefts continue to be reported in the United States, with more than 30,000 USAF Officers being notified that
they may have had their data compromised following a hacker breaching the Assignment Management System (AMS), which
contained a significant amount of personal information. The USAF does not believe that any sensitive information was
stolen, but is notifying the personnel involved as a matter of course. According to the reporting, the breach was
the result of a legitimate logon that had been copied. The breach was initially identified between May and June,
when an exceedingly high level of activity was noticed in the account that had been compromised, which led to the
investigation.

Following news from a couple of weeks ago, when the veracity of the MD5 signature on some speed camera images was
called into question during a court case, a paper has been released at the Crypto 2005 conference which details an
improved attack against the SHA-1 hashing algorithm. One of the issues that faces hashing algorithms is a phenomenon
known as a 'collision'. Because a hashing algorithm produces output of a fixed length (128 bits in the case of MD5),
there are only a finite number of possible outputs, while the number of possible inputs is unbounded; it follows
that two different inputs must exist which produce the same hash when passed through the algorithm. This is known
as a collision. Cryptography researchers continually look for better ways to break existing cryptographic
functions, which in turn drives their improvement, and a group of Chinese-led researchers has discovered a method
which reduces the theoretical effort required to create a collision of SHA-1 hashes to slightly more than 2^63
operations. A brute force attack, which essentially tries inputs until two of them produce the same hash, should
take around 2^80 operations to find a collision. The reduction of almost twenty powers of two in the number of
operations needed to discover a collision means that an implementation is feasible with modern consumer personal
computer power (most likely in a clustered configuration).
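To make the collision and brute-force figures above concrete, here is an added example (not from the column or the Crypto 2005 paper): a generic birthday search on a truncated SHA-1 output, which finds a collision after roughly 2^(bits/2) hashes, plus a helper expressing the 2^80 versus 2^63 gap as a work-factor ratio. The truncation sizes and message format are assumptions for demonstration; nothing here implements the differential attack the column refers to.

```python
import hashlib
import math


def truncated_sha1(data: bytes, bits: int) -> int:
    """Return the leading `bits` bits of SHA-1(data) as an integer (bits=160 is the full digest)."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)


def find_collision(bits: int, label: bytes = b"msg"):
    """Generic birthday search against a `bits`-bit truncation of SHA-1.

    Hashes distinct counter-derived messages (constructed inputs) until two of
    them share a truncated digest. Returns (msg_a, msg_b, trials). This is the
    brute-force baseline the column describes, not a shortcut attack: cost
    grows as about 2^(bits/2), so it is only practical for small truncations.
    """
    seen = {}
    counter = 0
    while True:
        msg = label + b"-" + str(counter).encode()
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, counter + 1
        seen[h] = msg
        counter += 1


def expected_birthday_trials(bits: int) -> float:
    """Expected hashes before the first collision on a `bits`-bit output: about sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def work_factor_ratio(generic_exponent: int = 80, attack_exponent: int = 63) -> int:
    """How many times cheaper a 2^attack_exponent attack is than the 2^generic_exponent birthday bound."""
    return 2 ** (generic_exponent - attack_exponent)


if __name__ == "__main__":
    for bits in (16, 24, 32):
        a, b, trials = find_collision(bits)
        print(f"{bits}-bit truncation: {a!r} and {b!r} collide after {trials} hashes "
              f"(expected ~{expected_birthday_trials(bits):.0f})")
    print("full SHA-1: generic bound 2^80, reported attack 2^63, "
          f"ratio {work_factor_ratio()}x cheaper")
```

Each run of the truncation loop shows the count landing near the sqrt(2^bits) estimate, which is why the 160-bit digest gives the 2^80 brute-force figure quoted above.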

According to reporting from The Register,
last week, the United Kingdom has brought its Information Technology procurement procedures in line with those in use by
the European Union. This move will mean that government tenders can not mandate which processor platform is to be used
by contractors in delivering a required outcome. The root of this issue can be taken back to the ongoing litigation
between AMD and Intel, where AMD is claiming that Intel has abused its monopoly position to effectively suppress
competition. The new acquisition procedures must now use generic technical terms to reference the requirements
being sought in government contracts.

There was some crazy news from the United States of America last week. Following a decision to provide students with
Dell Laptops, the Henrico County Schools in Virginia, USA, offered the superseded Apple iBook laptops for sale at
$50 USD each. Although they were fairly recent models (12" screen, 500MHz G3), 1,000 laptops were being sold at this
price, when the approximate market price is $200 - $300 USD. News of the extreme bargain attracted several thousand
interested people, who stampeded when it was
quickly obvious that there were more bargain hunters than computers. In the ensuing melee, it was reported that one
person was assaulting others with a fold up chair, a lady soiled herself (fear or excitement?), a stroller was crushed,
an ankle was broken, people were pushed to the ground, and someone tried to drive through the crowd in a car.
Police in riot gear were required to return some semblance of order to the large crowd.

The Coming Storm - 15 August 2005

A broad range of vulnerabilities have been disclosed and patched by Microsoft with their monthly patch release.
The impact of the vulnerabilities ranges from local user privilege escalation (e.g. normal -> admin), through
remote Denial of Service, to potentially total compromise of a vulnerable system. Exploits for a number of the
issues are already in active circulation, and have been for some time. For a detailed description, reference
should be made to the applicable security updates from Microsoft. It is strongly recommended that all Windows
users update to the latest security patches.

The vulnerabilities are being actively exploited on a wide scale. Although exploits were circulating prior to
the patch releases, there has been an explosion in the number of attacks, with the start of the working week in the
US expected to be a critical turning point. The Universal Plug and Play vulnerability is expected to become a major
exploitation route, with multiple examples of exploits currently circulating.

A number of months ago, Microsoft announced the existence of their Honeymonkey network. Similar to a Honeypot,
which is a fake server which is designed to lure malicious attackers to demonstrate their skills, a Honeymonkey is a
system which is designed to actively surf a network and monitor for any automated style attacks. According to
SecurityFocus, the Microsoft project has already identified
nearly 300 sites which launch automated attacks against standard Windows XP systems, including one claimed 'zero-day'
exploit. A 'zero-day' exploit is an exploit which has been released without the target software vendor being aware of
the vulnerability being exploited. The exploit in question uses the JView vulnerability which was mentioned last
month in this column. The JView vulnerability is just one symptom of the underlying COM Object instantiation problem,
and the early news notification was suggesting that exploits were in the wild at the time (so it appears that
Microsoft missed the boat on this one, again). The vulnerability exploited by the so-called 'zero-day' exploit
was fixed in the recent 'Black Tuesday' updates from Microsoft.

News surfaced a little more than a week ago about moves by the US Government, through the FCC, to expand the
Communications Assistance to Law Enforcement Act (CALEA). This is apparently being done to ensure that law enforcement
agencies will still be able to conduct wiretaps even if alternative communications technology such as VoIP is being
used. The practical implementation of the expansion is requiring networking hardware vendors to include a 'backdoor'
in all their products, which can allow for access by law enforcement agencies as required. There are significant
privacy and security concerns which arise from this expansion of the CALEA. From a security standing, it creates a
known weakness in all networking hardware, a weakness which will not remain secret forever. Privacy activists are
worried, because the access being granted allows for all the traffic flowing through the hardware to be grabbed (even
if the CALEA provisions don't allow it).

Some observers have suggested that it is a slippery slope trying to maintain an effective balance between privacy and
oversight. Although it has been said multiple times, the Internet is not a medium for storing or transmitting
information that should not be seen by everybody. It is not a suitable place to store confidential information, and
users should not expect to maintain confidentiality. Wireless technologies and the rise in broadband connections only
makes it more difficult to ensure that adequate trust exists. Assuming that the Internet is anything other than that
is a dangerous and naive stance to take, and is what leads to people getting themselves into trouble unintentionally.

One industry which has introduced strict rules in an attempt to enforce a reasonable level of information security
is the Medical sector. Laws such as HIPAA are designed to ensure that adequate steps are taken in order to protect
client privacy and medical results. Efforts to digitise medical records are fraught with greater risk of information
disclosure, although they can expedite overall care delivery, which is the desired outcome. Various Governments in
different countries have attempted to implement electronic medical records management, with varying levels of success,
such as the OACIS system in South Australia, and the NHS Medical Record System in Britain. The NHS project has been
a spectacular failure in terms of money spent, and lack of deliverable results. The Times came out with an
article which claims that a large number of
end users are becoming demoralised with the system, and that the £6 billion GBP system might be better off being
written off. The project is already the most expensive Information Technology project in Britain, and the article
claims that there are fears that the total cost of the project could explode to £30 billion GBP over the next
10 years. In a spectacular example of shooting the messenger, the report which prompted the article blamed the
disaffected users for the delays in implementing the project.

Another company which has recently been shooting messengers publicly, is Oracle (of course Cisco has done it, too).
As a part of their series on Information Security specialists, ZDNet Australia interviewed the Chief Security Officer
at Oracle. The resulting article was more of a PR piece than a detailed look at the security practices at Oracle,
which makes it like the other articles in the series by lacking real depth of technical information. What did make
the article, however, was clear indication that Oracle (amongst other companies) prefers to shoot messengers who are
bearing information that they don't want to know about, or admit to. One of the responses by the Oracle CSO appeared
to be establishing an 'us and them' approach to security vulnerabilities, denigrating the input from independent
security researchers.

When a short lead time is given between vulnerability notification and public release (such as a matter of days), it
places software vendors in a bind as they are unable to produce results, even if they throw resources at fixing issues.
When the software vendors have had several hundred days to fix reported vulnerabilities, however, their complaints
about unethical treatment from the independent researchers wear a little thin, especially if the vulnerabilities
remain unfixed.

In the defence of the software vendors, it does become difficult to implement security fixes without breaking other
functionality that the application has. This is especially true with any large scale application or product line, where
the codebase is immense. As a result, being able to respond in a timely manner with a fix is sometimes near to
impossible.

Snake oil is still being sold by the marketers, as the 'unbreakable' databases from Oracle aren't as secure as they are
made out to be, and the 'self defending' network hardware from Cisco can't prevent against itself being attacked. If
your security is not at a suitable level, then people will tell you about it.

In shorter news, Japanese online music purchasers have recently gained access to a localised iTunes Music Store, and
have celebrated the access by purchasing a million tracks within the first four days. Australian online music buyers
are still unable to utilise the popular online music store, with rumours suggesting that the holdup has been as a
result of music companies holding out for a better deal.

Multiple news agencies were reporting mid
last week on the settlement between Microsoft and notorious Spammer, Scott Richter. The settlement is conditional on
the lifting of bankruptcy claims by Scott Richter, and his company OptInRealBig.com, along with compliance with extant
anti-spam laws, and acceptance of three years oversight of his operations. Notorious as a former 'Spam King', as one of
the top 3 global spammers, Richter has since cleaned up his act significantly, recently being removed from a list of
Known Spam Operators. The $7 million USD settlement also includes a statement of contrition by Richter.

From Rock to Quicksand - 08 August 2005

Microsoft's termination of mainline support for Windows 2000 might be coming back to bite them. A couple of
known flaws with various Windows services could result in the total compromise of Windows systems, including
Windows 2000, XP, and 2003. The vulnerabilities have not been publicly identified, but it is only a matter of
time until the hacking community discovers and exploits them, or the information leaks from the discovering
researchers. Apparently the vulnerabilities reside in a core service of the NT derived Windows OS variants,
one which can not be simply turned off. Because Microsoft has terminated mainline support for Windows 2000,
this suggests that there will not be any patch or service pack to be released to fix the issue for Windows 2000.
Security patches, however, will continue to be released, but the initial reporting suggests that a simple security
patch is not going to be sufficient. Hopefully this is not the case, as many users have decided to stay with
Windows 2000, because it works, and it would cause major problems if a worm as virulent as Blaster managed to
exploit these vulnerabilities. The problem with the Blaster and Sasser worms was that they were poorly
designed, forcing a local denial of service, when a well designed worm would have resulted in a complete
stealth takeover of the PC, which is the big risk with the new vulnerabilities. Paralleling this system flaw
is an unpatched vulnerability with the handling of .mdb files (Access files), which can allow for complete
compromise of a system. Again, this flaw affects Windows 2000, and later, and Microsoft Access and Office from
version 2000, on. This flaw was initially publicly identified in April, and exploit code is beginning to appear
on various mailing lists.

Details emerged last week of a set of techniques to capture information that is entered via software keyboards,
which are used particularly for various online banking logins. A software keyboard is a representation of a keyboard
that appears on the screen, and users click on the on-screen keys that correspond to their password / PIN. They
were designed to defeat keyloggers, which capture banking login details as a user types them on the real keyboard.
The suggestion is that keyloggers are evolving to incorporate these new techniques (which will not be published here),
effectively neutralising the protection offered by the software keyboard. Although the techniques are new, worms
have already been released that target particular implementations (such as e-gold's), though their infection rates
have not been all that widespread.

Researchers in the USA and Japan have recently published papers describing methods that could be used to identify,
and so avoid, the passive network monitoring sensors used to track emerging Internet threats. Centres such as the
Internet Storm Centre, operated by the SANS Institute, use networks of systems that monitor various Internet
addresses and track the traffic patterns being sent across them. These loose global networks are made up of
machines whose physical and network locations are kept secret, in order to prevent poisoning of results or
avoidance of detection. The methods described in the papers suggest that it could take as little as a week for an
attacker to determine the location of these machines and map out the network. The implications are important,
as the information gleaned from these networks could then be compromised in a number of ways. A rapidly spreading
worm could specifically avoid propagating to those addresses, giving the worm more of a time advantage before
defences are organised. Conversely, the monitoring network could be flooded with fake data, neutralising its
effectiveness at identifying emerging threats, which could allow a real threat to gain a sustainable foothold
before a response can be arranged.

The Cisco vulnerability presentation that was reported on last week continues to cause trouble for various groups.
Increasing numbers of companies and security firms are getting edgy while they wait for malicious hackers to
automate an attack against the Cisco IOS operating system, which runs on most Cisco hardware. The chest beating
continues from various people and groups who feel threatened that a threat has emerged which they can do nothing
about, and have no idea what to do, but still feel the need to add their voice to the current cacophony. The
responses are an interesting mix of fear, alarm, calm, irrationality and level-headedness, and reporting of other
security vulnerabilities has essentially dried up as people rush to investigate the vulnerabilities that could
bring the Internet to its knees.

Following on from the vulnerability news, Cisco's main website was announced to have been vulnerable to an SQL
injection attack (injecting database commands through a web form), which potentially exposed the entire account
database, passwords in particular. Users who held an account with cisco.com were presented with a dialogue advising
them that their password had been reset, and could be sent to the email address from which they had originally
registered. The freeze on logins caused trouble, as this site is where patches, bug reports and other support
items are obtained. Some inconvenienced users suggested that whoever compromised the cisco.com passwords could
potentially have access to passwords for multiple client systems, such as corporate networks, and that cisco.com
account holders should start changing their passwords. This last point is not a failure of Cisco; rather it is a
failure of the security policies of users who maintained similar (or the same) passwords for multiple services.
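To make the mechanics of "database control from the webpage" concrete, the following is an added example (not
cisco.com's code, which has never been published, and not from the original column). It builds a constructed
two-row account table in an in-memory SQLite database and shows a login check written two ways: one that pastes
the user's input into the query text, and one that binds it as a parameter. Against the first, a quote in the
username turns into SQL syntax, so one payload logs in as everybody and another dumps the password column, which
is the exposure described above. Passwords are stored in clear here only to keep the example short; a real site
stores salted hashes.

```python
import sqlite3


def build_db():
    """Constructed account table; not any real site's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Query text is assembled from user input, so quotes in the input become SQL syntax."""
    sql = ("SELECT username FROM accounts WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Same query, but the values travel as bound parameters and are never parsed as SQL."""
    sql = "SELECT username FROM accounts WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Two classic payloads. The leading quote closes the string literal the developer opened,
# and the trailing -- comments out the rest of the original WHERE clause.
BYPASS = "' OR '1'='1' --"                       # every row matches: logs in as anyone
DUMP = "' UNION SELECT password FROM accounts --"  # appends the password column to the result


def demo():
    """Run both payloads against both implementations and return what each returns."""
    conn = build_db()
    return {
        "honest_safe": login_safe(conn, "alice", "correct horse"),
        "bypass_vulnerable": sorted(login_vulnerable(conn, BYPASS, "anything")),
        "bypass_safe": login_safe(conn, BYPASS, "anything"),
        "dump_vulnerable": sorted(login_vulnerable(conn, DUMP, "anything")),
        "dump_safe": login_safe(conn, DUMP, "anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The parameterised version returns nothing for either payload because the whole string, quotes and all, is
compared against the username column as data. Note also that a password-reset flow does nothing to close this
hole: once the query can be shaped by the attacker, the new passwords are just as readable as the old ones.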

The requirement that account holders request the new password from the email address that registered the account
has also proved inadequate. Testing by a number of people indicated that spoofed From: and Reply-To: headers, which
an ordinary mail server does nothing to authenticate, would let an attacker obtain the new password for another
Cisco account holder. It has been suggested that more than 3 million accounts were directly affected by this
breach, which is enough to cause worry amongst many customers.

The latest fad in Internet technology, following XML-based RSS and podcasting, is VoIP (Voice over IP). Although it
has been growing quietly for a while, VoIP is starting to hit the mainstream, but there are problems that all potential
VoIP users should be aware of. Because VoIP rides on a best-effort packet transport (in practice RTP over UDP) that
was not designed for a continuous stream of information, there is a risk of losing information in transit. According
to an article at Security Pipeline, as little as a 1% loss of packets can start to cause trouble with call quality,
and a 5% loss effectively destroys the usefulness of the transmission. The packets are designed to survive arriving
out of order, but a continuous stream of speech cannot tolerate that, so the receiver has to buffer and re-sequence
them, which adds delay. The other downside listed by the article, which VoIP providers tend to gloss over, is the
insecurity inherent in the system. There is no native encryption on the packets, so a growing number of tools can
eavesdrop on VoIP calls with complete success, without either party being aware of it. Encryption options add a
noticeable lag to the transmission, which can be unsuitable for a number of users. The technology is also prey to the
same problems affecting routine HTTP traffic (i.e. normal web traffic): slow networks, Denial of Service attacks,
client-side malware, and power outages removing service. In a closed system, where integrity can be achieved, VoIP
is a viable solution (even though it eats bandwidth), but the technology still has a little way to go before it is
ready for prime time usage.
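The following is an added example, not from the Security Pipeline article or the original column, that shows the
two points above in working code. It assumes the call is carried as RTP over UDP (the RFC 3550 fixed header) with
G.711 audio in 20 ms packets; both the stream and the loss/reordering pattern are constructed. Parsing the header
needs no key at all, which is the eavesdropping point, and the receiver side re-sequences packets as a jitter
buffer would and measures how much never arrived, graded against the article's 1% and 5% thresholds.

```python
import struct

# RFC 3550 fixed header: V/P/X/CC, M/PT, sequence number, timestamp, SSRC (12 bytes, network order)
RTP_HEADER = struct.Struct("!BBHII")


def build_rtp(seq, timestamp, payload=b"\xff" * 160, payload_type=0, ssrc=0x5EC0DEC0):
    """Constructed RTP packet: version 2, no padding/extension/CSRC, PT 0 = G.711 mu-law, 20 ms."""
    return RTP_HEADER.pack(2 << 6, payload_type & 0x7F, seq & 0xFFFF,
                           timestamp & 0xFFFFFFFF, ssrc) + payload


def parse_rtp(packet):
    """Decode the fixed header. Anyone on the path can do this: nothing here is encrypted."""
    if len(packet) < RTP_HEADER.size:
        raise ValueError("truncated RTP header")
    b0, b1, seq, timestamp, ssrc = RTP_HEADER.unpack_from(packet)
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    csrc_count = b0 & 0x0F
    header_len = RTP_HEADER.size + 4 * csrc_count
    return {"seq": seq, "timestamp": timestamp, "ssrc": ssrc,
            "payload_type": b1 & 0x7F, "marker": bool(b1 & 0x80),
            "payload": packet[header_len:]}  # raw audio samples, directly playable


def quality(loss_fraction):
    """Grades from the article's figures: ~1% loss audible, ~5% loss unusable."""
    if loss_fraction < 0.01:
        return "good"
    if loss_fraction < 0.05:
        return "degraded"
    return "unusable"


def receiver_stats(packets):
    """Re-sequence arrivals as a jitter buffer would and count gaps as loss.
    Assumption: the stream does not wrap the 16-bit sequence number (no cycle tracking)."""
    seqs = [parse_rtp(p)["seq"] for p in packets]
    if not seqs:
        raise ValueError("no packets received")
    reordered = 0
    highest = seqs[0]
    for s in seqs[1:]:
        if s < highest:
            reordered += 1  # arrived after a later packet; the buffer must hold and re-sort it
        else:
            highest = s
    unique = set(seqs)
    expected = max(unique) - min(unique) + 1  # what the sequence numbers say was sent
    lost = expected - len(unique)
    loss = lost / expected
    return {"expected": expected, "received": len(unique), "lost": lost,
            "reordered": reordered, "loss_fraction": loss, "quality": quality(loss)}


def demo():
    """Constructed 2-second stream (100 packets) through a link that drops 5% and swaps one pair."""
    dropped = {10, 20, 30, 40, 50}           # the network silently drops five packets
    order = [s for s in range(100) if s not in dropped]
    i = order.index(60)                      # packets 60 and 61 overtake each other in transit
    order[i], order[i + 1] = order[i + 1], order[i]
    wire = [build_rtp(s, s * 160) for s in order]  # 160 samples per 20 ms at 8 kHz
    return receiver_stats(wire)


if __name__ == "__main__":
    print(demo())
```

With a 5% drop rate the constructed call grades as unusable even though the jitter buffer correctly absorbs the
one reordered pair; reordering costs delay, loss costs audio, and only the second can be hidden by asking for
retransmission, which real-time speech has no time for.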

As a follow-up to the earlier reported breach of up to 40 million credit cards through the processing firm
CardSystems, the company claimed at the US Congress hearing convened to cover the issue that it was not their
fault they had been breached; it was the fault of the auditors and consultants they had brought in to conduct a
CISP audit on their systems. Never mind that the audit was 17 months before the breach was initially reported, and
that there is no indication the audit covered all systems belonging to CardSystems rather than just the payment
processing systems (the breach was of a separate system which had been storing the numbers for later analysis). As
was suggested earlier, this is one element of the blame game, in which the different parties involved point their
fingers in every direction but at themselves, rather than accepting responsibility for their own actions.

A recent Internet Storm Centre Diary entry gave a disturbing example of just what information can be extracted
from a simple Google search on a person. The information demonstrated was sufficient to carry out multiple types of
fraud, from financial fraud through to complete identity theft. Even if you are careful with your own online data
entry, you should always be cognisant of the fact that you will not always control what personal information about
you is exposed online. Different Government agencies and bodies may place various records online, each with only
partial disclosure, but these can then be cross-referenced with other results to develop a complete picture. Even
though this information has always been available, it has not always been so readily available (i.e. for free, and
to everyone).

On a slightly more fun note, a new distance record has been set for a high-speed wi-fi connection at the annual
DefCon gathering in Las Vegas. The winning team used standard wi-fi cards, spare satellite dishes, and a lot of
clever thinking to develop a system which happily sustained an 11 Mbit connection for over 3 hours over a 125 mile
(200 km) range, with an observed lag of 12 ms. The team believes it can stretch the distance out to 300 miles,
although the curvature of the Earth starts to affect transmission at that range, and the 2.4 GHz wi-fi signal does
not bend around it through the atmosphere too well.

Grab a Coffee and Sit Back - 01 August 2005

The increased paranoia since the London attacks on July 7 is seeing a number of efforts to implement higher levels
of monitoring and access to private data by various Government agencies. One of the programs being implemented is
a graphical overlay of security incidents over satellite imagery. The admission that the information might be up to
50 layers deep could prove more of a hindrance than a benefit in the long run, by contributing to information
overload. Recently, the US TSA (Transportation Security Administration) was caught out overstepping its information
collection provisions, and then caught out lying about it. The program in question is the successor to the CAPPS
system, now known as Secure Flight. While the first two incidents are not related directly to the London attacks,
the increased interest in CCTV proliferation and physical searching of travellers is a more direct response.

A new claim, by the same firm that claimed that $200 billion USD in productivity was lost to web surfing at work, is
that free web space services are increasingly being used to carry spyware, malware and other inappropriate content.
While the news from Websense is being widely reported, it does not come as a surprise to security professionals.
Any time a resource is available for free, people will come along and abuse it. At the same time, others who cannot
afford their own space will use it to distribute their own legitimate content. Seasoned Internet users will
understand how simple it is to obtain free web space without any form of identity validation, and that this very
capability is what attracts the seamier side of the Internet.

This highlights a unique property of URLs. As well as a namespace, they are a brand space: visitors judge the
trustworthiness of a site from the name in the address bar. Unfortunately this is open to exploitation, as seen in
URL obfuscation and phishing attacks, where the address shown in the browser begins with what looks like a
legitimate site name followed by a lot of gibberish, but in reality points at a different site altogether.
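As an added example of the obfuscation tricks above (this code is not from the original column, and the trusted
names and sample addresses are constructed, using reserved example domains and the 203.0.113.0/24 documentation
range), the function below works out which host a browser would actually connect to and flags the usual disguises:
a brand name placed in the user@ part of the address so that it appears first in the bar, a host written as an IP
address or as a single 32-bit integer, percent-encoding in the authority, and a brand name that appears somewhere
in the URL other than as the real host.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# Constructed: the names the user believes they are visiting. Not any real bank.
TRUSTED_HOSTS = ("www.bank.example", "bank.example")


def is_trusted(host):
    """True when host is exactly a trusted name or a subdomain of one (not merely contains it)."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def analyse(url):
    """Return the host the browser really connects to, whether it is trusted, and obfuscation flags."""
    parts = urlsplit(url)
    flags = []
    host = parts.hostname  # userinfo ("user:pass@") is stripped and the name lower-cased
    if host is None:
        return {"host": None, "trusted": False, "flags": ["no-host"]}

    # 1. "http://www.bank.example@evil/..." : the brand is the *username*, not the host.
    if parts.username is not None:
        flags.append("userinfo-in-authority")

    # 2. Percent-encoding in the authority hides what the name really is.
    if "%" in parts.netloc:
        flags.append("percent-encoding-in-host")

    # 3. Host written numerically: dotted quad, or one integer that the stack converts to an IP.
    resolved = host
    if host.isdigit() and int(host) < 2 ** 32:
        resolved = str(ipaddress.ip_address(int(host)))
        flags.append("integer-ip-host")
    else:
        try:
            ipaddress.ip_address(host)
            flags.append("ip-literal-host")
        except ValueError:
            pass  # an ordinary name

    trusted = is_trusted(resolved)

    # 4. The brand appears in the URL, but not as the host: path, query, fragment or userinfo.
    if not trusted:
        elsewhere = " ".join(unquote(x) for x in (parts.path, parts.query, parts.fragment,
                                                  parts.username or ""))
        if any(t in elsewhere for t in TRUSTED_HOSTS):
            flags.append("brand-name-outside-host")
        if any(t in resolved for t in TRUSTED_HOSTS):  # e.g. www.bank.example.evil-site.example
            flags.append("brand-name-in-untrusted-host")

    return {"host": resolved, "trusted": trusted, "flags": flags}


if __name__ == "__main__":
    for sample in ("http://www.bank.example/login?session=abc",
                   "http://www.bank.example@203.0.113.5/login",
                   "http://3405803781/www.bank.example/verify",
                   "http://www.bank.example.login-verify.example/"):
        print(sample, "->", analyse(sample))
```

The suffix match in is_trusted is deliberate: a check that merely looks for "bank.example" anywhere in the host
would pass www.bank.example.login-verify.example, which is exactly the lookalike a phisher registers.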

Arising in a discussion which followed the above news was an anecdote suggesting that a healthy distrust of these
sorts of services nearly cost an individual a job. While they were applying for the position, they were contacted by
someone claiming to be from the recruitment agency, who said that to expedite the application they could fill out a
set of electronic forms. The forms asked for some fairly personal details, and the sender's email address did not
match the recruiting firm. The forms turned out to be legitimate, but it is an excellent example of a social
engineering attack (i.e. a con) which would be more likely to succeed than most.

An early controversy from the current DefCon conference in Las Vegas involves rumoured attempts at censorship by
Cisco. The researcher in question resigned his position with a commercial security research company (ISS) in order
to present information about Cisco router vulnerabilities. The pages of his presentation, meant to be included in
the conference notes, had been physically torn out of each copy of the notes, and the suspicion is that Cisco
applied pressure to ISS and the conference to prevent a presentation that would publicly damage it. Cisco and ISS
went so far as to seek a restraining order against the researcher and the conference organisers. DefCon is one of
the best known hacker conventions held each year, and public announcement of security vulnerabilities in that
forum is guaranteed to attract interest from both sides of the Information Security spectrum.

The researcher went ahead regardless and presented on how vulnerable Cisco networking equipment is to compromise;
to do so, he submitted his resignation from ISS and presented as an independent. The specific vulnerability used to
demonstrate the attack had been patched in April, but he stressed that the technique would succeed against any
memory overflow vulnerability.

Because Cisco hardware supports a significant percentage of the Internet's infrastructure, the vulnerabilities
disclosed at DefCon could have significant, wide-ranging effects. Historical weaknesses in IOS have largely allowed
only Denial of Service style attacks. The recently announced vulnerabilities are much more serious, allowing an
attacker to run code of their choice on the equipment (essentially a total compromise of the hardware). The
difference is that an attack on a computer gives control of that computer, whereas an attack on network hardware
gives control of the complete network, including every packet that passes through the device.

The recommendation for operators of Cisco equipment is to continually ensure that they keep their hardware up to date
with the latest patches and updates.

The fallout from the announcement of the vulnerabilities has caused deep division in the security community, lining
up those who believe in Full Disclosure against everyone else. The release of the information is a perfect example of
information wanting to be free: the attempt to suppress it only made it more desirable for people to get hold of,
and guaranteed that far more attention will now be directed at Cisco products, where before the content of the
presentation might have been lost in the background noise at DefCon.

According to at least one analyst, the information released at DefCon was based on information previously published
on a Chinese site. The advisory released by Cisco supposedly covers the actual vulnerability that was being
investigated at the time (but does not stop the technique described from working against other flaws), and relates
to the IPv6 implementation on their hardware. Router owners who applied the update from April are protected against
this one instance of the flaw. IPv6 is the next generation of Internet addressing, designed to provide enough
address space for every device that could connect to a network or the Internet. The current addressing model, IPv4,
is rapidly running out of space for new devices, which has led to the widespread use of NAT (Network Address
Translation), whereby numerous devices behind a single public IP address all share it.

Some people are annoyed that Cisco did not announce the fix separately, but instead bundled it quietly into the
April update. The spin from Cisco and ISS PR representatives also looks contradictory: if the techniques described
are not critical, as these companies claim, why go into crisis mode trying to suppress the information? Cisco
representatives even posted to security mailing lists telling everybody to ignore the document that most of them
already had, and to forget what they had read. That approach does not work, as various companies have found:
Microsoft lost part of its Windows source code (via a third-party breach), Cisco had its IOS source code stolen,
Valve had the source code to Half-Life 2 stolen, and there are many other cases. The more paranoid have already
suggested that this flaw has long been used by intelligence agencies and other bodies to tap traffic of interest
surreptitiously, without alerting network managers that anything is out of place.

Microsoft has released to MSDN members the first beta of its upcoming Windows release. Originally known as
Longhorn, it has been renamed Windows Vista, and the beta also includes the first beta release of Internet
Explorer 7. For web developers and standards advocates, it appears that the rendering engine in Internet
Explorer 7 has not been changed from previous versions. The enhancements it introduces include tabbed browsing
and a phishing detector.

The early reviews of the releases do little to instil faith in the upcoming products. It appears that IE 7 retains
most of the flaws that bugged web developers in IE 6 and earlier. Tabbed browsing brings it into line with most
current browsers, but the user interface change that accommodates the tabs has caused some confusion and
consternation amongst reviewers. The menus (File, Edit, etc.) have been moved from the top of the active window to
the line just above the rendered page, which places them below the tabs and below the address bar. Unfortunately,
this gives the impression that the menus are specific to the current tab, when they are application-wide. This is
a major problem from a UI perspective, and will only cause confusion amongst less experienced users. At least it is
only the first beta, so there is some hope that these issues will be resolved prior to the final release.

The phishing filter is also a concern for security-minded reviewers. It works by reporting the address of each
website being viewed back to Microsoft, which compares it against a list of known bad sites before reporting whether
it is a phishing site. The downside is that a certain number of users must succumb to a phish before Microsoft can
identify the site to others. It also requires an extra set of connections for each website visited, slowing down
the user experience, and gives Microsoft the ability to tie an IP address to browsing habits more closely than any
Internet marketing firm or spyware could. The other concern is that phishers rarely establish dedicated domains for
their efforts, preferring to use hacked sites, compromised cable or business systems, or elements of their bot
networks, so the address that ends up on the list is frequently a legitimate site that happens to have been
compromised. The blacklist established by Microsoft will therefore have the same potential for abuse that spam
blacklists have, and will be more effective at trapping legitimate sites than phishing sites.

In an effort to slow down the spate of illegal network connections via unsecured wireless hotspots, people are
beginning to be charged for accessing them without the express permission of the network owners. While using network
bandwidth and resources without permission may be morally reprehensible, and laws exist which set penalties for such
access, the rapidly changing nature of small-scale networks and laptop Internet connection technology is a threat to
these laws. The rapid increase in people connecting to networks, in particular the Internet, who are not particularly
Information Technology savvy has created a strange void in which a user may unknowingly connect to a wireless access
point that another person has unknowingly left unsecured.

For people who actively seek out unsecured networks, increasing the size of their receiving antenna helps them pick
up weak signals, such as might reach a car park after being attenuated by the walls of a building, or lets them
access networks at a range much longer than normal. One of the most common and cheapest techniques for increasing
the size of an antenna is to use a "Pringles" can. The obvious advantages of this approach are that the cans are
commonly available, cheap, and people carrying them do not draw too much attention, at least until now. A
representative of the Sacramento Sheriff's Department's Sacramento Valley Hi-Tech Crimes Task Force stated that
"They're [Pringle can antennas] unsophisticated but reliable, and it's illegal to possess them" (later reporting
suggests that this is a misquote, and that the officer was not implying that it is illegal to own or use them, but
that it should be, by treating them like burglary tools, which are illegal to possess). While this statement
appears counter-intuitive, it actually relates back to the rules governing use of the electromagnetic spectrum for
transmission of data.

With most wireless Internet access operating on the 2.4 GHz band (the same band as your microwave oven), there are
strict rules and compliance requirements for operating a transmitter. Modifying an approved device renders it
non-approved (under Part 15 of the FCC rules), and it should then cease to be used for transmission. The other
aspect is illegal network usage and resource consumption, as covered by a number of anti-hacking and computer
misuse laws. However, given that most antenna modifications are home-built, another section of the FCC rules
(15.23, which covers home-built devices) appears to allow their use, provided that basic restrictions are followed.

TippingPoint, a subsidiary of 3Com, has announced that it will buy vulnerabilities from security researchers, in an
effort to stop them publicly releasing security vulnerabilities that hackers can turn into active exploits. Various
security lists have debated the ethics and morals of such an idea, and how it can introduce unwanted liability for
the purchasing party. Payment for vulnerabilities forces researchers who want to get paid to give up their
anonymity. Quite a number of independent researchers have had poor working relations with the major software
vendors, and are likely to balk at the suggestion that they hand over their hard work for someone else to work with,
knowing that the software vendors will learn who they are. Because of this perceived bad treatment, quite a number
of security researchers have developed a strong desire to be a thorn in the side of some software vendors, either
out of spite or as an attempt to force them to acknowledge and fix their software flaws. Anecdotal evidence
suggests that this is not the first time that 3Com has paid for vulnerability reports. A number of other companies
also offer bounties to internal teams for discovering bugs in flagship products.

The oft-repeated reason for implementing a plan like this is that if someone is capable of breaking into your
systems, then you would be better off paying them to keep your systems safe from other hackers (and from
themselves). The drawback is that this is essentially a willing form of 'protection money', or legalised extortion,
and only lasts until the next hacker with a chip on their shoulder comes along and breaks in. Historically, this was
known as 'Danegeld' in the British Isles: the protection money paid to the Vikings to get them to stay away.

The idea of paying researchers for newly discovered vulnerabilities has opened a proverbial can of worms amongst
security minded individuals, with a fair mix of individuals arguing vehemently for both sides of the argument - that
such actions are, and aren't, ethically and morally permissible.

Some have come out to say that the vast majority of security fixes amount to a single character in a single line of code
being changed. They then go on to argue that the delay in creating and distributing these fixes causes problems as
ethically bound security researchers run out of patience for an official move from the vendor.

The intentions of the company that is going to pay for the vulnerabilities have been called into question. Its main
commercial product is an IPS, an Intrusion Prevention System. The company would stand to gain significantly from
delaying the announcement of vulnerabilities reported to it: by sharing this privileged information only with its
customers, protecting them against exploits for that particular vulnerability, it gains more value the longer it
can extend the time before public announcement.

Finally, in Russia it appears that some people have finally had it with spam in their email. The spammer responsible
for the most Russian spam, Vardan Kushnir, was found beaten to death in his Moscow apartment at the start of last
week. Kushnir was responsible for spamming almost every Russian email address with advertisements for his English
language centres, 'The Centre for American English', 'The New York English Centre', and 'The Centre for Spoken
English'. It is estimated that more than 200 million emails were sent out for these centres. A number of observers
have opined that it is impossible to annoy so many people and not expect some sort of retribution once you are
discovered, even if that retribution is, itself, illegal.

Rumours are surfacing that the spammer's death was the work of the Russian Mafia, and that, given his profile in the
spamming business, he was killed over some indiscretion. The Russian Mafia appears to be the leading organised crime
body making use of modern technology as part of its criminal activities: Distributed Denial of Service attacks are
threatened against online casinos and other high-cashflow online businesses, spam is sent for profit, worms and
viruses are created and distributed to recruit machines into zombie networks and to leak personal financial data,
and phishing is carried out to gain access to online banking accounts, with the ability to drain them at will.